Corporate Compliance Insights

The Psychology of Phishing Victims and How to Overcome it

Using Training to Avert Cyberattacks

by Stu Sjouwerman
July 16, 2020
in Cybersecurity

Phishing is often cited as responsible for more than 90% of all breaches. KnowBe4 founder and CEO Stu Sjouwerman provides practical guidance on how to mitigate this leading cyber risk.

Sponsored

Phishing is perhaps the greatest security risk that organizations face today. While companies tend to focus their cybersecurity efforts on technical defenses, the truth is that most cyberattacks take advantage of human fallibility. Data breaches and security incidents often start with phishing attacks, as Verizon’s 2020 Data Breach Investigations Report makes clear.

Successful cybercriminals take advantage of people, exploiting their usual pattern of thinking to gain access to personal information and accounts. Certain cognitive biases are widespread and extremely detrimental to online security, but this is not an insurmountable problem. With the right security awareness training, you can build a company culture that’s naturally resistant to cyberattacks and resilient in the face of security incidents. (Note: my company offers a suite of free phishing tools to phish your own employees.)

Cognitive Biases

Before you tackle the problem, it may be helpful to understand the psychology of phishing victims. A paper by Georgia Crossland, Ph.D. researcher at the Centre for Doctoral Training in Cyber Security, highlights two major psychological issues that lead people to misjudge potential security threats: overconfidence and fatalistic thinking.

“It Will Never Happen to Me”

Whether you call it optimism bias or overconfidence, people are alarmingly good at seeing risks in society and erroneously deciding that they only apply to other people. This leads most people to believe that they are less likely than others to experience negative events, from contracting a virus to being in a car crash to becoming the victim of an online scam.

“It’s Going to Happen Anyway”

Fatalistic thinking is also very common. Sometimes people feel that certain risks are beyond their control. They may decide that there’s nothing they can do to prevent these things from happening, so what’s the point of trying? If you believe that phishing attacks are inevitable, then you may decide it’s not worth taking precautions.

While this sounds like the opposite of overconfidence, the two thought patterns lead to the same endpoint: People fail to act to prevent or reduce risk. This creates a foundation for scammers to build upon.

Social Engineering

Cybercriminals rely upon social engineering to trick victims into replying to bogus emails, volunteering personal information, clicking on links to malware and opening attachments containing malware. Classic phishing techniques are all about emulating something familiar to the person being targeted, whether it’s a bank, an online service they use or the HR person of the company they work for. This familiarity leads victims to drop their guard.

Even well-crafted phishing scams usually contain telltale signs that people will often notice if they stop and think about it. That’s why cybercriminals create a false sense of urgency designed to persuade people to act immediately, using either the carrot or the stick: for example, the threat that your account will be closed if you don’t respond quickly, or the promise of a payout if you comply now.

By exploiting psychology, scammers can turn targets into victims.
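As an added illustration that is not part of the original article or of any KnowBe4 product, the Python script below triages constructed sample emails for the cues described above: a familiar sender role (HR, bank) on an unexpected domain, the "stick" deadline, the "carrot" payout and the request for credentials. The cue lists, the sample messages and the trusted-domain set are assumptions for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages for this example; they are not real phishing mail.
SAMPLES = {
    "hr_stick": (
        "From: HR Department <hr-notices@example-payroll.test>\n"
        "Subject: Action required: your account will be suspended in 24 hours\n\n"
        "Confirm your login details immediately or your access will be closed.\n"
    ),
    "bank_carrot": (
        "From: Example Bank Rewards <rewards@examplebank-promo.test>\n"
        "Subject: You have been selected for a $500 payout\n\n"
        "Claim your bonus now by verifying your account.\n"
    ),
    "benign": (
        "From: Alice Jones <alice@example.test>\n"
        "Subject: Notes from Tuesday's meeting\n\n"
        "Attached are the notes; no action needed this week.\n"
    ),
}
# Cue lists are assumptions for this example, not anyone's production rules.
STICK_CUES = ["immediately", "within 24 hours", "will be suspended", "will be closed", "action required"]
CARROT_CUES = ["you have been selected", "payout", "bonus", "refund", "claim your"]
CREDENTIAL_CUES = ["login details", "password", "verify your account", "verifying your account"]
FAMILIAR_ROLES = ["hr", "payroll", "bank", "it support", "helpdesk"]

def score_message(raw: str, trusted_domains: set) -> dict:
    """Return the social-engineering cues found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    signals = []
    if any(cue in text for cue in STICK_CUES):
        signals.append("urgency_stick")
    if any(cue in text for cue in CARROT_CUES):
        signals.append("reward_carrot")
    if any(cue in text for cue in CREDENTIAL_CUES):
        signals.append("credential_request")
    # A familiar role in the display name is suspicious only when the sending
    # domain is not one the organisation actually uses for that role.
    familiar = any(re.search(r"\b%s\b" % re.escape(r), display.lower()) for r in FAMILIAR_ROLES)
    if familiar and domain not in trusted_domains:
        signals.append("impersonation")
    return {"domain": domain, "signals": signals, "verdict": "review" if len(signals) >= 2 else "low"}
```

A message that trips two or more cues is routed for human review rather than auto-blocked, so the people the article wants to empower still make the final call.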

Phishing is often just the first stage of a larger, more serious attack. It’s too easy to blame the victims here and decry employees as the weak link in your cybersecurity. But shaming people and pointing the finger is not an effective way forward. What organizations need to do is find a way to include employees, empower them and encourage a company culture that values security.

Security Awareness Training

It’s vital to have a mandatory security awareness training program in place for your employees, but there’s no reason it can’t be inclusive and fun. Rather than relying on the mandate alone, training should engage participants and empower them. Make sure that you focus on rewarding the kind of behavior you want to see in the workplace and keep punitive action as a last resort.

Cybersecurity should be the responsibility of every employee, not an abstracted function of InfoSec professionals or IT departments.

If you get everyone to buy in, you can create a culture that dramatically reduces cybersecurity risks. A recent MIT Sloan Management Review article highlights three pillars of high-reliability organizations (HROs) that can be usefully applied to cybersecurity:

  1. Cultivate hypervigilance: People should be constantly watchful for any signs of cybersecurity threats, for themselves, the people around them and the wider organization. Speaking up should be encouraged and rewarded. When people turn a blind eye to potential issues, they grow into major problems.
  2. Respond quickly: Identify incidents swiftly and respond immediately. Having clear security procedures with established responsibilities and chains of communication will help enormously here. It’s crucial that people don’t bury their heads in the sand when security problems do inevitably crop up. The faster you react, the better your chances of limiting the negative impact of an incident.
  3. Share knowledge: Every failure is an opportunity to learn. Knowledge must be shared freely and widely. Security incidents should inform future policies. Successful cybersecurity strategies are constantly evolving and improving. People must work together and help each other to improve security company-wide.

Because smaller businesses may not have the same level of security resources, they tend to be easier targets for hacktivists. Traditional GRC offerings can be expensive and hard to manage without intervention by consultants. Going to the cloud offers reprieve on this front, and that’s where SaaS-based GRC platforms come into play. The KCM GRC platform (developed by my company KnowBe4) affords ready-made templates for quick compliance evaluations and reporting. Centralized policy distribution and tracking helps users remain compliant, as does flagging risky users.

While it won’t happen overnight, there are lots of easy, practical, useful steps you can take to overcome the psychology of phishing victims and improve your cybersecurity posture.

About KnowBe4

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 33,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as the last line of defense.


Tags: Cybercrime, Data Breach, Training
Stu Sjouwerman

Stu Sjouwerman is founder and CEO of KnowBe4 [NASDAQ: KNBE], developer of security awareness training and simulated phishing platforms, with 41,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at ssjouwerman@knowbe4.com.

© 2022 Corporate Compliance Insights